archerysec-cli's Introduction

Follow Archery on Twitter

Road Map BlackHat USA Arsenal 2018 BlackHat Asia Arsenal 2018 DEFCON 26 Demolabs

Support.

Your generous donations will keep us motivated.

Paypal: Donate via Paypal

Archery

ArcherySec integrates with continuous integration/continuous delivery (CI/CD) toolchains so that testing can be specified per build and the release of a given build can be gated on the results. It includes prioritization functions, enabling you to focus on the most critical vulnerabilities. ArcherySec uses popular open-source tools to perform comprehensive scanning of web applications and networks. Developers can also use the tool when implementing their DevOps CI/CD environment.

Documentation

Demo

Overview

Overview of the tool

  • Perform web and network vulnerability scanning using open-source tools.
  • Correlate and collate all raw scan data and show it in a consolidated manner.
  • Perform authenticated web scanning.
  • Perform web application scanning using Selenium.
  • Vulnerability management.
  • REST APIs for developers to perform scanning and vulnerability management.
  • JIRA ticketing system.
  • Subdomain discovery and scanning.
  • Periodic scans.
  • Concurrent scans.
  • Useful for DevOps teams for vulnerability management.

Requirements

OpenVAS

You can follow the instructions to install OpenVAS from Hacker Target.

Note that, at this time, Archery opens a TCP connection to the OpenVAS Manager (not the GSA); therefore you need to update your OpenVAS Manager configuration to bind this port. The default port is 9390/tcp, but you can change this in your settings.

OWASP Zap

Also known as Zaproxy. Download and install the matching package for your distro from the official GitHub page.

A systemd service file is available in the project.

Burp Scanner

Follow the instructions to enable the Burp REST API.

Configure the REST API endpoint in the ArcherySec settings.

SSLScan

Simply install SSLScan from your package manager.

Nikto

Simply install Nikto from your package manager.

NMAP Vulners

Place the NSE file in the Nmap scripts directory:

cd /usr/share/nmap/scripts/
sudo wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse

********* DO NOT EXPOSE PUBLICLY, INTERNAL USE ONLY **********

Restrict the ArcherySec signup page on production.

  • Edit file webscanners/web_views.py
  • Find the def signup function and comment out its @public decorator
  • Edit file archeryapi/views.py
  • Find class CreateUsers and comment out its @public decorator
  • Edit file archerysecurity/settings/base.py
  • Find STRONGHOLD_PUBLIC_URLS
  • Comment out r'^/api/createuser/$',

Installation

export TIME_ZONE='Asia/Kolkata'

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

$ git clone https://github.com/archerysec/archerysec.git
$ cd archerysec
$ NAME=User [email protected] PASSWORD=admin@123A bash setup.sh
$ ./run.sh

Windows installation

set TIME_ZONE='Asia/Kolkata'

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

$ git clone https://github.com/archerysec/archerysec.git
$ cd archerysec
$ setup.bat
$ run.bat

Note on installation for developers and contributors

If you wish to contribute to the project, make sure you are using requirements-dev.txt and run this command once you have installed the requirements:

pre-commit install

This installs the pre-commit hooks, which automatically check the code linting and the rules used on this project; if everything passes, the commit is made.

Note on manual and automated installation

If you run the code directly without setting DJANGO_SETTINGS_MODULE, it defaults to archerysec.settings.base. All defaults are used in this case; to customize options, copy local_settings.sample.py to local_settings.py.

The Docker option should use environment variables to set the different settings of the container.

Docker Installation

The ArcherySec Docker image is available from ArcherySec Docker.

$ docker pull archerysec/archerysec
$ docker run -e NAME=user -e [email protected] -e PASSWORD=admin@123A  -it -p  8000:8000 archerysec/archerysec:latest

# Docker Alpine image 
$ docker pull archerysec/archerysec:alpine
$ docker run -e NAME=user -e [email protected] -e PASSWORD=admin@123A  -it -p 8000:8000 archerysec/archerysec:alpine

# For persistence

docker run -it -p 8000:8000 -v <your_local_dir>:/archerysec archerysec/archerysec:latest

Using ArcherySec through docker compose

This is the simplest way to get things running. For the time being docker-compose.yml is focused on a development configuration, but with some changes you can get a production-ready definition.

Running the following command brings up all the services, creates a postgres database and connects ArcherySec to it.

$ docker-compose up -d

Configure Serverless on AWS

Deploy ArcherySec as a Serverless on AWS using Zappa

Environment variables for this project

The following environment variables are used to change the behaviour of the container settings.

TIME_ZONE

export TIME_ZONE='Asia/Kolkata'

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

DB_PASSWORD

Database password for the postgres db server

DB_USER

Database user for the postgres db server

DB_NAME

Database name for the postgres db server

DJANGO_SETTINGS_MODULE

Django settings module to use. Currently this can be set to archerysecurity.settings.development or archerysecurity.settings.production, depending on your needs.

DJANGO_SECRET_KEY

Always generate and set a secret key for your project. Tools like this one can be used for this purpose.

DJANGO_DEBUG

Set this variable to 1 if debug should be enabled

ARCHERY_WORKER

This variable tells the container to behave as a worker that processes tasks, rather than as a web server running on port 8000. Set it to True to run in this mode.

EMAIL_HOST

export EMAIL_HOST='smtp.xxxxx.com'

EMAIL_USE_TLS

export EMAIL_USE_TLS=True

Set this variable to True or False

EMAIL_PORT

export EMAIL_PORT=587

Set this variable to the SMTP port.

EMAIL_HOST_PASSWORD

export EMAIL_HOST_PASSWORD='password'

Set this variable to the SMTP password.

EMAIL_HOST_USER

export EMAIL_HOST_USER='[email protected]'

Set this variable to the SMTP email address.
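As an added example (not ArcherySec's own code), the loader below reads the variables listed above from an environment mapping and flags combinations that should not reach a production container: a weak or missing DJANGO_SECRET_KEY, DJANGO_DEBUG enabled together with the production settings module, missing database credentials, and SMTP without TLS. The key-strength thresholds mirror Django's own SECRET_KEY deployment check; the default settings module follows the note above.

```python
import os

_TRUE = {"1", "true", "yes", "on"}


def parse_bool(value, default=False):
    """Accept the True/False and 1/0 spellings the README uses for EMAIL_USE_TLS,
    DJANGO_DEBUG and ARCHERY_WORKER; unset or empty keeps the default."""
    if value is None or value.strip() == "":
        return default
    return value.strip().lower() in _TRUE


def load_settings(env=None):
    """Build a plain dict from an environment mapping (os.environ by default)."""
    env = os.environ if env is None else env
    return {
        "TIME_ZONE": env.get("TIME_ZONE", "UTC"),
        "DB_NAME": env.get("DB_NAME", ""),
        "DB_USER": env.get("DB_USER", ""),
        "DB_PASSWORD": env.get("DB_PASSWORD", ""),
        # unset means the base settings are used, as the README notes
        "DJANGO_SETTINGS_MODULE": env.get("DJANGO_SETTINGS_MODULE", "archerysec.settings.base"),
        "DJANGO_SECRET_KEY": env.get("DJANGO_SECRET_KEY", ""),
        "DJANGO_DEBUG": parse_bool(env.get("DJANGO_DEBUG")),
        "ARCHERY_WORKER": parse_bool(env.get("ARCHERY_WORKER")),
        "EMAIL_USE_TLS": parse_bool(env.get("EMAIL_USE_TLS"), default=True),
        "EMAIL_PORT": env.get("EMAIL_PORT", "587"),
    }


def validate_settings(settings):
    """Return a list of problems; an empty list means the container may start."""
    problems = []
    production = settings["DJANGO_SETTINGS_MODULE"].endswith(".production")
    key = settings["DJANGO_SECRET_KEY"]
    # same thresholds as Django's SECRET_KEY deployment check (security.W009)
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        problems.append("DJANGO_SECRET_KEY is missing or too weak; generate a random 50+ character key")
    if production and settings["DJANGO_DEBUG"]:
        problems.append("DJANGO_DEBUG=1 with production settings exposes stack traces and settings values")
    for name in ("DB_NAME", "DB_USER", "DB_PASSWORD"):
        if not settings[name]:
            problems.append(f"{name} is not set")
    if not settings["EMAIL_USE_TLS"]:
        problems.append("EMAIL_USE_TLS=False sends SMTP credentials and mail in clear text")
    port = settings["EMAIL_PORT"]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"EMAIL_PORT={port!r} is not a valid TCP port")
    return problems
```

Run validate_settings(load_settings()) from the container entrypoint and refuse to start when the list is non-empty.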

Setup third-party integrations

ZAP running daemon mode

Locate your ZAP startup script, and execute it using the options detailed below.

Windows :

zap.bat -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

Others :

zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
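The daemon options above disable the API key and accept API calls from any address, so whoever can reach port 8080 can drive ZAP. As an added example (not ZAP's or ArcherySec's code), the audit below parses such a command line and lists the exposure it creates; a hardened variant that binds a specific address, sets api.key and restricts api.addrs.addr.name to the ArcherySec host passes clean. The parser is constructed for the options used in these commands only.

```python
import shlex


def parse_zap_args(cmdline):
    """Turn a zap.sh/zap.bat command line into {option: value}; each
    -config key=value pair lands under opts['config'][key]. Constructed
    parser: it understands only the options used in the commands above."""
    tokens = shlex.split(cmdline)
    opts = {"daemon": False, "config": {}}
    i = 1  # tokens[0] is the script name
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-daemon":
            opts["daemon"] = True
            i += 1
        elif tok in ("-host", "-port") and i + 1 < len(tokens):
            opts[tok[1:]] = tokens[i + 1]
            i += 2
        elif tok == "-config" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            opts["config"][key] = value
            i += 2
        else:
            i += 1
    return opts


def audit_zap_daemon(cmdline):
    """List the ways this command line widens access to the ZAP API.
    Defaults follow ZAP: without -host it binds localhost, and without an
    api.addrs entry only local clients are accepted."""
    opts = parse_zap_args(cmdline)
    cfg = opts["config"]
    host = opts.get("host", "localhost")
    key_disabled = cfg.get("api.disablekey", "false").lower() == "true"
    any_addr = (cfg.get("api.addrs.addr.regex", "false").lower() == "true"
                and cfg.get("api.addrs.addr.name", "") in (".*", ".+"))
    findings = []
    if host == "0.0.0.0":
        findings.append("binds every interface; bind the address ArcherySec connects to, or firewall the port")
    if key_disabled:
        findings.append("api.disablekey=true: no API key; set api.key and enter it as the Zap API Key in ArcherySec")
    elif not cfg.get("api.key"):
        findings.append("no api.key given; set one explicitly so ArcherySec can be configured with it")
    if any_addr:
        findings.append("api.addrs.addr.name=.* accepts any client address; use the ArcherySec host's address")
    if host == "0.0.0.0" and key_disabled and any_addr:
        findings.append("net effect: an unauthenticated, unrestricted scanner API reachable from the network")
    return findings
```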

Zap Setting

  1. Go to the Settings page
  2. Edit the ZAP setting or navigate to the URL: http://host:port/webscanners/setting_edit/
  3. Fill in the required information below.
    • Zap API Key: leave blank if you are using ZAP as a daemon with api.disablekey=true
    • Zap API Host: your ZAP API host IP or system IP, e.g. 127.0.0.1 or 192.168.0.2
    • Zap API Port: the port ZAP is running on, e.g. 8080

OpenVAS Setting

  1. Go to the Settings page
  2. Edit the OpenVAS setting or navigate to the URL: http://host:port/networkscanners/openvas_setting
  3. Fill in all required information and click Save.

Road Map

  • Scanners parser & Plugin

    • Nessus (XML)
    • Webinspect (XML)
    • Acunetix (XML)
    • Netsparker (XML)
    • OWASP ZAP (XML) & (Plugin)
    • Burp Pro Scanner (XML)
    • Arachni (XML) & (Plugin)
    • OpenVAS (XML) & (Plugin)
    • Bandit Scan (XML)
    • Dependency Check (XML)
    • FindBugs (XML)

    More Scanners

Lead Developer

Anand Tiwari

archerysec-cli's People

Contributors

anandtiwarics, dependabot[bot], sourabhgupta385

archerysec-cli's Issues

Error when upload gitlabSAST report

When I upload a gitlabsast JSON report to archerysec it is always an error. I also tried the document example JSON file, then I got the same.
I tried python 3.9.0 and python 3.9.6 and it is always an error, and I used pip to install archerysec-cli: pip3 install archerysec-cli

                    _                      _____
     /\            | |                    / ____|
    /  \   _ __ ___| |__   ___ _ __ _   _| (___   ___  ___
   / /\ \ | '__/ __| '_ \ / _ \ '__| | | |\___ \ / _ \/ __|
  / ____ \| | | (__| | | |  __/ |  | |_| |____) |  __/ (__
 /_/    \_\_|  \___|_| |_|\___|_|   \__, |_____/ \___|\___|
                                     __/ |
                                    |___/

Copyright (C) 2023 ArcherySec CLI v3.1.14
Traceback (most recent call last):
  File "/usr/local/bin/archerysec-cli", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/archerysec_cli/cli/cli.py", line 468, in main
    scan_action()
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/archerysec_cli/cli/cli.py", line 108, in scan_action
    upload_report(
  File "/usr/local/lib/python3.9/site-packages/archerysec_cli/cli/cli.py", line 250, in upload_report
    scan_data = archerysec.json_upload(file=report_path)
  File "/usr/local/lib/python3.9/site-packages/archerysec_cli/util/api.py", line 65, in json_upload
    return send_request.json()
  File "/usr/local/lib/python3.9/site-packages/requests/models.py", line 900, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/local/lib/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/local/lib/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/lib/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

This is my command:

archerysec-cli -h http://127.0.0.1:8000 -t 45F1i7ITBP24qSSKXq7HlVK_loyZszMKpRVnX0c0Y5VI_76hWNSxbtCvXET75We5 -p test.json --file-type=JSON --target=ASFLKSF --scanner=gitlabsast --project=9caa156-3b18-4815-8ee6-58bd2a036299 --upload

I need the help please~
have a good day
Joy

Error while publishing nodejsscan and trivy reports

Reports are generated in Jenkins using:

sh "njsscan src --json -o 'nodejs-scanner-report.json'"
sh script: 'TRIVY_NEW_JSON_SCHEMA=true trivy --cache-dir /tmp/trivy image --format json -o trivy-report.json --input hello_world_${BUILD_NUMBER}.tar'

Reports are published using:

sh "archerysec-cli -s ${properties.ARCHERYSEC_HOST_URL} -u ${ARCHERYSEC_USERNAME} -p ${ARCHERYSEC_PASSWORD} --upload --file_type=JSON --file=trivy-report.json --TARGET=DVNA_TRIVY --scanner=trivy --project_id=655016af-2e40-47da-b4e2-da91db041fda"

Output

<title>TypeError at /api/uploadscan/</title>
sh "archerysec-cli -s ${properties.ARCHERYSEC_HOST_URL} -u ${ARCHERYSEC_USERNAME} -p ${ARCHERYSEC_PASSWORD} --upload --file_type=JSON --file=nodejs-scanner-report.json --TARGET=DVNA_NODEJSSCAN --scanner=nodejsscan --project_id=655016af-2e40-47da-b4e2-da91db041fda"

Output

<title>KeyError at /api/uploadscan/</title>

On the console, everything is showing as none for trivy and nodejsscan as below:

image

Did anyone try publishing trivy and nodejsscan reports using the CLI?

null problem

I'm having trouble with archerysec right now.

We can create project using CLI commands:

$ archerysec-cli -s http://192.168.222.131:8000 -u Bank -p 123456 --createproject
--project_name=test_project --project_disc="test project" --project_start=2021-07-30
--project_end=2021-07-30 --project_owner=Bank

Output:

{"message": "Project Created", "project_id": "4b4303bc-2cd6-4212-8801-231e8b10be6d"}
We can launch scan(s) using CLI:

$ archerysec-cli -s http://192.168.222.131:8000 -u Bank -p 123456
--zapscan --target_url=http://demo.testfire.net
--project_id=4b4303bc-2cd6-4212-8801-231e8b10be6d

Output:

null

I'm not sure if I forgot to install something or forgot to add something.

Uploading report fails

Hello,

I'm trying to upload a Dependency Check report using admin credentials, but I'm getting an Authentication error message.

Version used: '3.1.4'

Command used to upload:

archerysec-cli -s http://myarcherysechost -u admin -p adminpwd --upload --file_type=XML --file=dependency-check-report.xml --TARGET="poc-node" --project_id=nnnnnn --scanner=dependencycheck

Error message:

{"detail":"Authentication credentials were not provided."}

I would appreciate any guide on the matter,

Thank you!

ps: also I'm not very sure about using --scanner=dependencycheck due to the info displayed in the help

 --scanner=SCANNER   Select scanners [ zap_scan, burp_scan, arachni,
                        netsparker, webinspect, banditscan]

ps2: downgrading to "3.1.2" version solved my problem

Report upload fails

I have exported report in JSON format, using archerysec GUI.
Then I wanted to re-import same JSON file using archerysec-cli. But it looks like it fails:

archerysec-cli -s http://xxx.xxx.xxx.xxx:9000 -u admin -p xxxxxxxx --upload --file=report_arachni.json --TARGET="https://xxxxxxxxx/" --file_type=JSON --scanner=arachni --project_id="81111111-1111-1111-1116-111111111111"1

And here is the result:
image

Upload/Import files are not working

I found the source of the issues mentioned here #2 (comment).

The issue is improper usage of the Authorization header!!!
The archerysec-cli is used:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhb...

instead of:
Authorization: JWT eyJ0eXAiOiJK....

Once I manually changed the header in the POST request - it works properly.

Also, changed the code here:
./lib/python3.8/site-packages/archerysec_cli/cli.py: headers = {'Authorization': 'Bearer ' + token}

to:
./lib/python3.8/site-packages/archerysec_cli/cli.py: headers = {'Authorization': 'JWT ' + token}

Upload Dependency-Check XML Failed

Hi all,
Could you please help me?
I have a Dependency-Check XML report and I use this command to upload the report:

archerysec-cli -h http://127.0.0.1:8000 -t b-phbNlxOkWPNxwBqrgkwkPZBUfY5kT9DkqGSKXOqG31cM0ggcIrp-W7ozcRyH5C --upload --path=/opt/deploy/dpreport20230816.xml --file-type=XML --target=ASFLKSF --scanner=dependencycheck --project=75d730ea-d593-4fca-b416-7f1d028e4df6

And the error message here:

Copyright (C) 2023 ArcherySec CLI v3.1.14
Traceback (most recent call last):
  File "/usr/local/bin/archerysec-cli", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/archerysec_cli/cli/cli.py", line 468, in main
    scan_action()
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.9/dist-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/archerysec_cli/cli/cli.py", line 108, in scan_action
    upload_report(
  File "/usr/local/lib/python3.9/dist-packages/archerysec_cli/cli/cli.py", line 253, in upload_report
    scan_data = archerysec.xml_upload(file=report_path)
  File "/usr/local/lib/python3.9/dist-packages/archerysec_cli/util/api.py", line 84, in xml_upload
    return send_request.json()
  File "/usr/local/lib/python3.9/dist-packages/requests/models.py", line 900, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python3/dist-packages/simplejson/__init__.py", line 518, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
  File "/usr/lib/python3/dist-packages/simplejson/scanner.py", line 79, in scan_once
    return _scan_once(string, idx)
  File "/usr/lib/python3/dist-packages/simplejson/scanner.py", line 70, in _scan_once
    raise JSONDecodeError(errmsg, string, idx)
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

I tried to use ArcherySec (Web Portal) to upload "dpreport20230816.xml" and it was successful. I tried downloading the template report from here https://raw.githubusercontent.com/archerysec/report-sample/main/Dependency-check/dependency-check-report_v5.2.1.xml but I got the same result. Please help me.

archerysec-cli - FAILED
ArcherySec - Web Portal - OK
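The tracebacks in this issue and in the gitlabSAST issue above both die inside send_request.json() because the server answered with something that is not JSON; the Jenkins issue shows what such a body looks like (an HTML error page whose title names the exception). As an added example, not archerysec-cli's own code, the helper below decodes an upload response defensively and returns either the parsed document or a readable reason, so the failure is diagnosable instead of a JSONDecodeError. Sample responses in the test are constructed from the outputs quoted in these issues.

```python
import json
import re


def decode_api_reply(status_code, content_type, body):
    """Decode an ArcherySec API response without assuming it is JSON.
    Returns {"ok": True, "status": ..., "data": ...} for a JSON success, or
    {"ok": False, "status": ..., "error": reason} where reason is the JSON
    'detail' field, the HTML <title>, or the start of the raw body."""
    body = body or ""
    ctype = (content_type or "").lower()
    data = None
    if "json" in ctype or body.lstrip().startswith(("{", "[")):
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            data = None  # claimed JSON but unparsable: fall through to diagnosis
    if data is not None and status_code < 400:
        return {"ok": True, "status": status_code, "data": data}
    if isinstance(data, dict) and "detail" in data:
        reason = str(data["detail"])
    else:
        title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
        reason = title.group(1).strip() if title else (body.strip()[:120] or "empty body")
    return {"ok": False, "status": status_code, "error": reason}


def next_step(result):
    """Map a decoded reply to the check a practitioner would make next."""
    if result["ok"]:
        return "report accepted"
    status = result["status"]
    if status in (401, 403):
        return "check the token or credentials and the Authorization scheme the server expects"
    if status >= 500:
        return "server-side failure parsing the report: check the ArcherySec server log and that --scanner matches the report format"
    if status < 400:
        return "server returned a non-JSON page with a success status: check that the upload URL points at the API endpoint"
    return "client error: check the request parameters"
```

Call decode_api_reply(resp.status_code, resp.headers.get("Content-Type"), resp.text) on the requests response instead of resp.json().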

How export report in XML/CSV format

I have checked the archerysec-cli output, and it does not provide accurate results (under the Zap Scans help section I could find the --arachni command used to 'Launch Arachni Scan').

Hence my question here.
How can I export scan results in XML and CSV format using archerysec-cli for:

  • zap scan
  • arachni
  • burp
  • nikto
